The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "Middleware issues and solutions"

Line 22: Line 22:


== CREAM refuses Terena-signed VOMS proxies ==
== CREAM refuses Terena-signed VOMS proxies ==
TERENA eScience SSL CA sets ''pathlen'' attribute among its ''basic constraints''
(see http://www.openssl.org/docs/apps/x509v3_config.html).
This triggers a bug in VOMS java API
(the API incorrectly applies the policy on checking the chain of the attribute certificate),
which is used by CREAM,
resulting in errors on job submission:
    FATAL - User  <user's DN> not authorized for operation {http://www.gridsite.org/namespaces/delegation-2}getProxyReq
A workaround is not using TERENA eScience SSL CA signed certificates
as host certificates of VOMS servers.
The problem is fixed in voms-api-java-2.0.5, released in EMI.
A backport to gLite 3.2 is unofficially available
with unreleased patch [[https://savannah.cern.ch/patch/?4997 #4997]]
(no gLite 3.2 update is expected).
GGUS ticket [[https://ggus.eu/tech/ticket_show.php?ticket=76129 #76129]]


= VOMS =
= VOMS =
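Review bot: the two references at the end of the added section, [[https://savannah.cern.ch/patch/?4997 #4997]] and [[https://ggus.eu/tech/ticket_show.php?ticket=76129 #76129]], use double square brackets, which MediaWiki treats as internal-link syntax, so the rendered page shows the labels inside literal brackets ("[#4997]", "[#76129]"). Use single brackets for external links, e.g. [https://ggus.eu/tech/ticket_show.php?ticket=76129 #76129]. The added text also names only the fixed release (voms-api-java-2.0.5); stating which versions are affected would let site admins decide whether the workaround applies to them.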

Revision as of 13:54, 15 November 2011



The purpose of this page is to document recurring middleware issues with broad impact, together with their solutions and/or workarounds.

This page is maintained by the Distributed Middleware Support Unit of EGI.

Distribution | Affected Product | Date | Title
EMI | VOMS | July 17, 2011 | VOMS server fails with high number of VOs

CREAM

CREAM refuses Terena-signed VOMS proxies

The TERENA eScience SSL CA sets the pathlen attribute in its basic constraints (see http://www.openssl.org/docs/apps/x509v3_config.html).

This triggers a bug in the VOMS Java API (the API incorrectly applies the policy when checking the chain of the attribute certificate), which is used by CREAM, resulting in errors on job submission:

   FATAL - User  <user's DN> not authorized for operation {http://www.gridsite.org/namespaces/delegation-2}getProxyReq

A workaround is to avoid using certificates signed by the TERENA eScience SSL CA as host certificates of VOMS servers.

The problem is fixed in voms-api-java-2.0.5, released in EMI. A backport to gLite 3.2 is unofficially available with unreleased patch #4997 (https://savannah.cern.ch/patch/?4997); no gLite 3.2 update is expected.

GGUS ticket #76129 (https://ggus.eu/tech/ticket_show.php?ticket=76129)

VOMS

VOMS server fails with high number of VOs

The VOMS server of gLite 3.2 is more memory-greedy; it starts failing when configured to serve more than 10 (approx.) VOs.

Change the -XX:MaxPermSize parameter of CATALINA_OPTS to a value of at least 512m in /etc/tomcat5/tomcat5.conf:

 CATALINA_OPTS="-Xmx1508M -server -Dsun.net.client.defaultReadTimeout=240000 -XX:MaxPermSize=512m"

and add

 * soft nofile 2048
 * hard nofile 2048

into /etc/security/limits.conf.

GGUS ticket #72136

WMS

Storage Element

BDII does not start at SE node

The BDII daemon does not start correctly at the SE node, so the service is not published to GOC, etc. The symptoms are error messages such as:

  # service ldap restart
  Stopping slapd: [ OK ]
  Checking configuration files for slapd: bdb_db_open: Warning - No
  DB_CONFIG file found in directory /var/lib/ldap: (2)
  Expect poor performance for suffix dc=my-domain,dc=com.
  config file testing succeeded
  [ OK ]
  Starting slapd: [ OK ]

The problem is caused by setting the BDII_USER variable in site-info.def, which causes incorrect permission settings on some files that slapd uses. This variable should not be set at SE nodes; it is intended for the BDII node only.

GGUS ticket #73086